ci(stack): blocking FTA complexity gate for EQL v3 #539
The v3 encrypt config keys columns by DB name (`column.getName()`), but the shared model path matched user models against those DB-name keys while models — and the typed model types — are keyed by JS property. For any column whose JS property differs from its DB name (e.g. `createdOn: encryptedDateColumn('created_on')`) the field never matched, so `encryptModel` silently stored it as PLAINTEXT and `decryptModel` skipped `Date` reconstruction.

Add `BuildableTable.buildColumnKeyMap()` (property -> DB name), implemented by v3 `EncryptedTable`, and route the model path through `resolveEncryptColumnMap()`: match models by JS property, address the FFI/config by DB name. `reconstructRow` now keys dates by property. v2 tables omit the map and fall back to identity, so v2 behavior is unchanged.

Rework the schema-v3 date round-trip to exercise the typed `decryptModel` Date reconstruction (single-value `decrypt` returns an ISO string by design, so the old strict `toEqual(Date)` could never hold), and add regression coverage:
- non-live: `resolveEncryptColumnMap`/`buildColumnKeyMap` mapping and a property-vs-DB-name `reconstructRow` case via the fake-client harness;
- live: property-vs-DB-name model encrypt (no plaintext leak) + decrypt.

Also drop the int8 (bigint) domain from the v3 SDK surface until the native FFI round-trips bigint losslessly, removing the now-dead bigint reconstruction path.
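The property-versus-DB-name mismatch described in the commit message above, shown as an added TypeScript example; it is not code from this PR or the project. `buildColumnKeyMap` and `resolveEncryptColumnMap` are names taken from the commit message, while their bodies, `TableLike`, `fakeEncrypt` and the sample data are assumptions made for illustration.

```typescript
// Added illustration. buildColumnKeyMap and resolveEncryptColumnMap are names from
// the commit message; their bodies here, TableLike and fakeEncrypt are assumptions.
type Model = { [key: string]: unknown };

interface TableLike {
  columns: string[]; // DB column names, which is how the encrypt config is keyed
  buildColumnKeyMap?: () => { [prop: string]: string }; // JS property -> DB name (v3)
}

// Stand-in for the real encrypt call: wraps the value so ciphertext is recognizable.
function fakeEncrypt(dbName: string, value: unknown): { c: string } {
  return { c: "enc(" + dbName + ":" + String(value) + ")" };
}

// Before the fix: model keys (JS properties) are looked up among DB-name keys.
function encryptModelByDbName(model: Model, table: TableLike): Model {
  const out: Model = {};
  for (const key of Object.keys(model)) {
    const hit = table.columns.indexOf(key) !== -1;
    out[key] = hit ? fakeEncrypt(key, model[key]) : model[key]; // miss: stays plaintext
  }
  return out;
}

// After the fix: property -> DB name, with an identity fallback for tables without a map.
function resolveEncryptColumnMap(table: TableLike): { [prop: string]: string } {
  if (table.buildColumnKeyMap) return table.buildColumnKeyMap();
  const identity: { [prop: string]: string } = {};
  for (const name of table.columns) identity[name] = name;
  return identity;
}

function encryptModelByProperty(model: Model, table: TableLike): Model {
  const map = resolveEncryptColumnMap(table);
  const out: Model = {};
  for (const prop of Object.keys(model)) {
    // Own-property check so inherited keys such as "constructor" never match.
    const dbName = Object.prototype.hasOwnProperty.call(map, prop) ? map[prop] : undefined;
    out[prop] = dbName !== undefined ? fakeEncrypt(dbName, model[prop]) : model[prop];
  }
  return out;
}

// Constructed sample: property `createdOn` is stored in DB column `created_on`.
const v3Table: TableLike = {
  columns: ["email", "created_on"],
  buildColumnKeyMap: () => ({ email: "email", createdOn: "created_on" }),
};
const sampleModel: Model = { id: 7, email: "a@example.com", createdOn: "2025-01-02" };
```

In the before-path `createdOn` passes through untouched with no error raised, which is why the regression coverage asserts on the absence of plaintext rather than on a thrown exception.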
Add a per-package Fast TypeScript Analyzer (fta-cli) gate scoped to the EQL v3 text-search schema source (packages/stack/src/schema/v3). The gate fails CI when any v3 file exceeds the FTA score cap.

- pin fta-cli@3.0.0 as a stack devDependency (repo installs tooling via frozen-lockfile; no pnpm dlx/npx per supply-chain policy)
- add analyze:complexity script: fta src/schema/v3 --score-cap 72 (current v3 score is 71.08, so the cap blocks regressions)
- add paths-filtered blocking workflow .github/workflows/fta-v3.yml; no build/DB/credentials needed (FTA is static source analysis)
What
Adds a blocking per-package complexity gate using FTA (Fast TypeScript Analyzer), scoped to the new EQL v3 text-search schema source only.
Stacked on `feat/eql-v3-text-search-schema`.
Why
Nothing in the repo currently guards code complexity (Biome = lint/format, tsc/vitest = types/tests). This catches complexity regressions in the v3 schema before they land. Starting with v3 as the per-package template; more packages can be added as sibling workflows/scripts later.
Changes
- `fta-cli@3.0.0` as a `@cipherstash/stack` devDependency. Delivered via `pnpm install --frozen-lockfile` + a package script — no `pnpm dlx`/`npx`, matching the repo's supply-chain policy (`minimumReleaseAge`, `blockExoticSubdeps`). 3.0.0 (published 2025-07-25) clears the 7-day quarantine.
- `analyze:complexity` → `fta src/schema/v3 --score-cap 72`. Current v3 score is 71.08, so the tight cap blocks essentially any regression.
- `.github/workflows/fta-v3.yml`: `paths`-filtered (`packages/stack/src/schema/v3/**`, `packages/stack/package.json`, the workflow file), `blacksmith-4vcpu-ubuntu-2404`, `contents: read`. FTA is static source analysis, so no build / DB / credentials. Non-zero exit fails the check (no `continue-on-error`).
Verification
- `pnpm install --frozen-lockfile` — consistent
- `analyze:complexity` pass case (71.08 vs cap 72) → exit 0
- `--score-cap 60`) → exit 1
- `lint:runners`, `lint:workflow-cache`, `test:scripts` — all pass
Notes
`paths:` filter means PRs not touching v3 will show it pending — add a shim job or drop the filter if that bites.